Fix bug #78916 (php-fpm 7.4.0 don't send mail via mail())

author: Jakub Zelenka <bukka@php.net> 2019-12-08 17:57:17 +0000
committer: Jakub Zelenka <bukka@php.net> 2019-12-08 17:57:17 +0000
commit: ac042f839f4c4a2b8241fa69f8f3b01766814f1e (patch)
tree: 6e27b0e21201c3784590b093a576d37c2a9c4a82 /sapi
parent: aba070e6308519be6b44e2ec6d153bb8b1e08371 (diff)
download: php-git-ac042f839f4c4a2b8241fa69f8f3b01766814f1e.tar.gz
1 files changed, 1 insertions, 4 deletions
diff --git a/sapi/fpm/php-fpm.service.in b/sapi/fpm/php-fpm.service.in
index f58ea08af8..eab81300b7 100644
--- a/sapi/fpm/php-fpm.service.in
+++ b/sapi/fpm/php-fpm.service.in
@@ -24,9 +24,6 @@ ProtectHome=true
 # Mounts the /usr, /boot, and /etc directories read-only for processes invoked by this unit.
 ProtectSystem=full
 
-# Ensures that the service process and all its children can never gain new privileges
-NoNewPrivileges=true
-
 # Sets up a new /dev namespace for the executed processes and only adds API pseudo devices
 # such as /dev/null, /dev/zero or /dev/random (as well as the pseudo TTY subsystem) to it,
 # but no physical devices such as /dev/sda.
@@ -55,7 +52,7 @@ RestrictRealtime=true
 
 # Restricts the set of socket address families accessible to the processes of this unit.
 # Protects against vulnerabilities such as CVE-2016-8655
-RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
+RestrictAddressFamilies=AF_INET AF_INET6 AF_NETLINK AF_UNIX
 
 # Takes away the ability to create or manage any kind of namespace
 RestrictNamespaces=true
author	Jakub Zelenka <bukka@php.net>	2019-12-08 17:57:17 +0000
committer	Jakub Zelenka <bukka@php.net>	2019-12-08 17:57:17 +0000
commit	ac042f839f4c4a2b8241fa69f8f3b01766814f1e (patch)
tree	6e27b0e21201c3784590b093a576d37c2a9c4a82 /sapi
parent	aba070e6308519be6b44e2ec6d153bb8b1e08371 (diff)
download	php-git-ac042f839f4c4a2b8241fa69f8f3b01766814f1e.tar.gz